 | |||
| Sophos latest virus and spyware detection | Sophos latest suspicious behavior and file detection | Sophos latest adware and PUA detection | Sophos latest controlled applications |
|---|---|---|---|
| XML Troj/Zbot-BXF Troj/Zbot-BXE Troj/ZAccess-BY Troj/Mdrop-EET Troj/Inject-UY Troj/DwnLdr-JZH Troj/DwnLdr-JYM Mal/JavaDldr-I Mal/Farfli-J Andr/Opfake-C | XML Sus/20120183-A Sus/FBScam-A HPsus/BadGuy-B Sus/Encpk-OL Sus/EncPk-LB Sus/JVZelObf-A Sus/EncPk-GI Sus/JavaObf-B Sus/PDFEx-L Sus/JavaObf-A | XML Android Local Root Exploit Hotbar Following The Money Addendum Addendum IEMon HOSTS - legitimate domains blocked or redirected Spytech SpyAgent Installer Office Cyber Alert Gabpath_Contextual_Ads MB ShellSpy | XML 3D Wormhole Akamai Netsession Canon IJ Network Tool Comodo Dragon IndieCity Download Client Kingsoft Internet Security Kingsoft Office Kingsoft PC Doctor Media Finder Notepad++ |
 |
| VirusAlert, de Nederlandstalige bron voor informatie over computervirussen. De ideale aanvulling op antivirussoftware. Dagelijks informatie over computervirussen en hoax-berichten. In het geval van een high-risk virus ontvangt u informatie via de gratis nieuwsbrief. Hieronder informatie over de laatste 10 virussen. |
| VirusAlert |
|---|
| XML Backdoor.Lukicsel JS.Phremous W32.Tozap Trojan.Tracur.B VBS.Sojax WinCE.Fakemini Downloader.Dromedan W32.Masavebe Trojan.Krast trojan.pherbot Backdoor.Meciv |
| SANS Internet Storm Center, InfoCON: green |
|---|
| XML ISC StormCast for Thursday, May 17th 2012 http://isc.sans.edu/podcastdetail.html?id=2542, (Thu, May 17th) (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Reserved IP Address Space Reminder, (Wed, May 16th) As we are running out of IPv4 address space, many networks, instead of embracing IPv6, stretch existing IPv4 space via multiple levels of NAT. NAT then uses reserved IP address space. However, there are more address ranges reserved then listed in RFC1918, and not all of them should be used in internal networks. Here is a (probably incomplete) list of address ranges that are reserved, and which once are usable inside your network behind a NAT gateway. List of Reserved IPv4 Address ranges Address Range RFC Suitable for Internal Network 0.0.0.0/8 RFC1122 no (any address) 10.0.0.0/8 RFC1918 yes 100.64.0.0/10 RFC6598 yes (with caution: If you are a carrier) 127.0.0.0/8 RFC1122 no (localhost) 169.254.0.0/16 RFC3927 yes (with caution: zero configuration) 172.16.0.0/12 RFC1918 yes 192.0.0.0/24 RFC5736 no (not used now, may be used later) 192.0.2.0/24 RFC5737 yes (with caution: for use in examples) 192.88.99.0/24 RFC3068 no (6-to-4 anycast) 192.168.0.0/16 RFC1918 yes 198.18.0.0/15 RFC2544 yes (with caution: for use in benchmark tests) 198.51.100.0/24 RFC5737 yes (with caution: test-net used in examples) 203.0.113.0/24 RFC5737 yes (with caution: test-net used in examples) 224.0.0.0/4 RFC3171 no (Multicast) 240.0.0.0/4 RFC1700 no (or unwise? reserved for future use) Most interesting in this context is RFC6598 (100.64.0.0/10), which was recently assigned to provide ISPs with a range for NAT that is not going to conflict with their customers NAT networks. It has been a more and more common problem that NAT'ed networks once connected with each other via for example a VPN tunnel, have conflicting assignments. Which networks did I forget? I will update the table for a couple days as comments come in. ------ Johannes B. Ullrich, Ph.D. SANS Technology Institute Twitter (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Avira Antivirus false positives http://forum.avira.com/wbb/index.php?page=Thread&threadID=144875, (Wed, May 16th) ------ Johannes B. Ullrich, Ph.D. SANS Technology Institute Twitter (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. New Version of Google Chrome released (19.0.1084.46) , (Wed, May 16th) ------ Johannes B. Ullrich, Ph.D. SANS Technology Institute Twitter (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Microsoft released an update for its Enhanced Mitigation Experience Tool (EMET) http://blogs.technet.com/b/srd/archive/2012/05/15/introducing-emet-v3.aspx, (Wed, May 16th) ------ Johannes B. Ullrich, Ph.D. SANS Technology Institute Twitter (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Got Packets? Odd duplicate DNS replies from 10.x IP Addresses, (Wed, May 16th) This is a clarification to Dan's diary from yesterday. We are interested to hear, if anybody else is seeing DNS replies from RFC1918 non-routable IP addresses, in particular from 10.0.0.0/8. So far, we only have one report, and we are trying to figure out if this is something wide spread, or something unique to this user. This reader first noticed the problem when the firewall reported more dropped packets from 10.x addresses. Two example queries that caused the problem are A queries for 25280.ftp.download.akadns.net and adfarm.mplx.akadns.net. The reader receives two responses: One normal response from the IP address the query was sent to, and a second response from the 10.x address. As a result, the problem would go unnoticed even if the 10.x response is dropped. Both responses provide the same answer, so this may not be an attack, but more of a misconfiguration. As a side note, initially the DNS protocol specifically allowed for replies to arrive from an IP address different then the one the query was sent to: Some name servers send their responses from different addresses than the one used to receive the query. That is, a resolver cannot rely that a response will come from the same address which it sent the corresponding query to. This name server bug is typically encountered in UNIX systems. (RFC1035) However, later in RFC2181, this requirement was removed: Most, if not all, DNS clients, expect the address from which a replyis received to be the same address as that to which the queryeliciting the reply was sent. This is true for servers acting asclients for the purposes of recursive query resolution, as well assimple resolver clients. The address, along with the identifier (ID)in the reply is used for disambiguating replies, and filtering spurious responses. This may, or may not, have been intended whenthe DNS was designed, but is now a fact of life. (RFC2181) But we are NOT looking for responses that are coming from the wrong source, but duplicate responses. Once from the correct and once from the incorrect address. Here an example stray packet submitted by the reader (slightly modified for privacy reasons and to better fit the screen) Internet Protocol Version 4, Src: 10.17.x.y, Dst: ---removed--- Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 Total Length: 84 Identification: 0x2a7e (10878) Flags: 0x00 Fragment offset: 0 Time to live: 59 Protocol: UDP (17) Header checksum: correct User Datagram Protocol, Src Port: domain (53), Dst Port: antidotemgrsvr (2247) Domain Name System (response) Transaction ID: 0xb326 Flags: 0x8400 (Standard query response, No error) 1... .... .... .... = Response: Message is a response .000 0... .... .... = Opcode: Standard query (0) .... .1.. .... .... = Authoritative: Server is an authority for domain .... ..0. .... .... = Truncated: Message is not truncated .... ...0 .... .... = Recursion desired: Don't do query recursively .... .... 0... .... = Recursion available: Server can't do recursive queries .... .... .0.. .... = Z: reserved (0) .... .... ..0. .... = Answer not authenticated .... .... ...0 .... = Non-authenticated data: Unacceptable .... .... .... 0000 = Reply code: No error (0) Questions: 1 Answer RRs: 1 Authority RRs: 0 Additional RRs: 0 Queries ads.adsonar.akadns.net: type A, class IN Name: ads.adsonar.akadns.net Type: A (Host address) Class: IN (0x0001) Answers ads.adsonar.akadns.net: type A, class IN, addr 207.200.74.25 Name: ads.adsonar.akadns.net Type: A (Host address) Class: IN (0x0001) Time to live: 5 minutes Data length: 4 Addr: 207.200.74.25 (207.200.74.25) http://www.faqs.org/rfcs/rfc1035.html http://www.faqs.org/rfcs/rfc2181.html ------ Johannes B. Ullrich, Ph.D. SANS Technology Institute Twitter (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. ISC StormCast for Wednesday, May 16th 2012 http://isc.sans.edu/podcastdetail.html?id=2536, (Wed, May 16th) (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Odd DNS replies from 10 nets and RFC1323 impacting firewalls, (Tue, May 15th) Reader Bob wrote in reportingseeing increasingly frequent incoming DNS replies on UDP 53, with valid DNS answers, but coming from source addresses in the 10.x.x.x/8 range. The responses appear to be from the Internet Roots to DNS servers that are querying the root. Anyone else see this kind of behavior? Over the past week another couple of readers have written in reporting issues accessing the ISC web page. The SANS NOC reports thatRFC-1323timestamps were getting scrubbed by our firewall to prevent information disclosure, but the checksum wasn't being updated. The packet wassubsequently dropped by the end device. This appears to be impacting users using Bluecoat web proxies. We will have more to post on this topic throughout the day. RFC1323 describes TCP extensions used to improve performance over high delay networks and high speed networks These include Scaled Window Options, Round Trip Time Measurement (RTTM), and protection against Wrapped Sequence Numbers (PAWS) Scaled window options are implemented by bit shifting the 16bit window field into a 32 bit field by adding an option indicating how many placeholders to shift (or multiply by) to get the real window size. Recall the window size is how many bytes a node can buffer before it needs the transmitter to slow down. TCPDump displays this option as WS=6 for a factor of 6 in the TCP options Wireshark displays this option as for example: Window Scale: 7 (Multiply by 128) Round Trip Time Measurement (RTTM), or TCP option 8 contains a Timestamp value or TSval set by the sender with its sending time, a 32 bit value, and Timestamp Echo Reply (TSecr) which is only valid if the accompanying ACK TCP flag is set. This 32 bit value echos a time stamp value set by the other or remote host in a TCP session. These values are tracked over time to estimate and adapt to changing traffic conditions. PAWS provide a simple mechanism to reject old duplicate segments that might corrupt an open TCP connection. It uses the same timestamps in RTTM, The basic idea is that a segment can be discarded as an old duplicate if it is received with a timestamp less than some timestamp recently received on this connection. Here is what Bluecoat has to say on the topic:https://kb.bluecoat.com/index?page=contentid=FAQ1006 PAWS is looking for the timestamp to be advancing and is used to keep as much data in transit as possible between communicating hosts. The risk to data transport in this case is if two hosts or their intermediaries cant negotiate a common method of communicating with or without these options. This can happen with firewalls, as in our case, or incompatible endpoints. It is interesting to note that Windows implemented these options in Windows 2000, but did not enable them by default until Windows 2008. Dan SANS Internet Storm Center Handler Update: ---------------------------------------------------------- Some References I used to look into this today: The RFC: http://www.ietf.org/rfc/rfc1323.txt http://www.networksorcery.com/enp/protocol/tcp/option008.htm http://packetlife.net/blog/2010/aug/4/tcp-windows-and-window-scaling/ http://www.ecr6.ohio-state.edu/window-scaling.html technet.microsoft.com/en-us/library/bb726965.aspx technet.microsoft.com/en-us/library/bb878127.aspx This is by no means an exhaustive article on this topic, it is just a beginning, I will look to other handlers to fill in the gaps as well as look into it more as time goes on. Another discussion that is pertinent is IP options versus TCP options. Staying in IPV4 land for this discussion As the names state IP options and padding are in the Internet Protocol header of a packet, they are the last 32 bits in the Internet protocol (v4) header and TCP options are contained within the TCP header. Using the following page as a reference:http://www.networksorcery.com/enp/protocol/ip.htm#Options.IP options deliver a handful of IP features that in general are not used. Most IPv4 headers begin with version (4 in this case) and the IHL the header length in 32 bit words or 5 as the minimum and default. If options are set then that number varies depending on the options set. For the most part these options are not used, IP options include features like source routing which could permit undesirable results. Each option is described in detail on the reference page above. TCP options are more central to the operation of the protocol the IP options are. IP options add optional features, where as TCP options make the protocol work. A list of TCP options is available here:http://www.networksorcery.com/enp/protocol/tcp.htm#OptionsOption 8 contains the windows scaling discussed above. Other options include Selective Acknowledgement (opts 4 and 5) and Option 3 Window Scale Factor (discussed above and in RFC1323. These options extend and enhance the TCP protocol operation. In conclusion, both TCP and IP offer different options which can enhance the protocols. Understanding them can impact operability and availability of a network. (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. |
 |
| Free content directory of company related articles. All items are available for publication and can be reprinted free of charge as long as the author box remains intact. Build content for your website quickly and easily! Webmasters can take the articles included in this section and incorporate them on their website at no charge whatsoever, as long as the about the author box remains intact. |
| Avira - Latest News |
|---|
| Last updated: Thu, 17 May 2012 18:15:14 +0200 |
| XML Avira Survey Finds Computer Users Don?t Feel Safe on Social Media Sites 84% Worry about Facebook, Google+ and other Social Media Sites Published:Thu, 03 May 2012 00:00:00 +0200 Avira Acquires SocialShield Top-Rated Social Monitoring Service to Be Incorporated into Avira?s Free Security Products Published:Thu, 29 Mar 2012 00:00:00 +0200 Avira Finds Missing Android Phones Worldwide Avira announced today the release of Avira Free Android Security software. Published:Tue, 27 Mar 2012 00:00:00 +0200 Avira Stops PC Viruses From Spreading Via Mac Avira announced today the release of Avira Free Mac Security software. The software is available for free download to the expanding universe of Mac owners. Published:Tue, 27 Mar 2012 00:00:00 +0200 Kachingle Premium to Revolutionize Freemium Conversions Kachingle announces Kachingle Premium ? a usage-based micropayment service that turbocharges Freemium to Premium conversions. Avira signs up as a charter vendor. Published:Fri, 23 Mar 2012 00:00:00 +0100 |
|
| Use Avira's Latest Threats RSS to keep track of the newest multi-language malware descriptions posted on our website automatically. For details, plese visit our website: www.avira.com. |
| Avira - Latest Threats Descriptions |
|---|
| Last updated: Thu, 17 May 2012 18:15:14 +0200 |
| XML TR/Skelf.A Danger Level: Medium Threat VDF version: 7.11.30.90 Published date: Thu, 17 May 2012 14:25:18 +0200 Complete description for this threat can be found here. Published:Thu, 17 May 2012 14:25:18 +0200 TR/Dldr.Zeagle.A.49 Danger Level: Low Threat VDF version: 7.11.29.72 Published date: Wed, 16 May 2012 08:08:16 +0200 Complete description for this threat can be found here. Published:Wed, 16 May 2012 08:08:16 +0200 JS/Blacole.CV Danger Level: Low Threat VDF version: 7.11.29.202 Published date: Mon, 14 May 2012 04:31:20 +0200 Complete description for this threat can be found here. Published:Mon, 14 May 2012 04:31:20 +0200 EXP/2011-3544.EL.1 Danger Level: Medium Threat VDF version: 7.11.29.132 Published date: Mon, 14 May 2012 03:42:40 +0200 Complete description for this threat can be found here. Published:Mon, 14 May 2012 03:42:40 +0200 EXP/10-0840.CI.1 Danger Level: Medium Threat VDF version: 7.11.27.250 Published date: Mon, 14 May 2012 03:25:04 +0200 Complete description for this threat can be found here. Published:Mon, 14 May 2012 03:25:04 +0200 |
 |
| SecurityFocus is the most comprehensive and trusted source of security information on the Internet. We are a vendor-neutral site that provides objective, timely and comprehensive security information to all members of the security community, from end users, security hobbyists and network administrators to security consultants, IT Managers, CIOs and CSOs. |
| SecurityFocus Vulnerabilities |
|---|
| XML Vuln: Pligg CMS 'status' Parameter SQL Injection Vulnerability Pligg CMS 'status' Parameter SQL Injection Vulnerability Vuln: ImageMagick Multiple Denial of Service Vulnerabilities ImageMagick Multiple Denial of Service Vulnerabilities Vuln: ImageMagick Buffer Overflow and Denial of Service Vulnerabilities ImageMagick Buffer Overflow and Denial of Service Vulnerabilities Vuln: ImageMagick 'configure.c' Configuration File Loading Local Privilege Escalation Vulnerability ImageMagick 'configure.c' Configuration File Loading Local Privilege Escalation Vulnerability Bugtraq: [SECURITY] [DSA 2473-1] openoffice.org security update [SECURITY] [DSA 2473-1] openoffice.org security update Bugtraq: FlashPeak SlimBrowser TITLE Denial Of Service Vulnerability FlashPeak SlimBrowser TITLE Denial Of Service Vulnerability Bugtraq: CVE-2012-2334 Vulnerabilities related to malformed Powerpoint files in OpenOffice.org 3.3.0 CVE-2012-2334 Vulnerabilities related to malformed Powerpoint files in OpenOffice.org 3.3.0 Bugtraq: CVE-2012-2149 OpenOffice.org memory overwrite vulnerability CVE-2012-2149 OpenOffice.org memory overwrite vulnerability More rss feeds from SecurityFocus News, Infocus, Columns, Vulnerabilities, Bugtraq ... |
